Free module to manage Group Policy Preferences with PowerShell

I’ve used Group Policy Preferences since it had been Policy Maker. I’ve always used it through the GUI but a couple of months ago I thought: Why don’t we use PowerShell for this?
Apparently, the answer is “because there is no cmdlets available”. Yes, there is Group Policy Automation Engine, but it is a paid close-source product. The built-in GroupPolicy module just does not have cmdlets for GP Preferences (only one section is covered by it – Registry).

All that lead me to starting an open-source project to PowerShellize GPP: https://github.com/exchange12rocks/PSGPPreferences
The module is at a beginning stage, but you can already install it through the Gallery: https://www.powershellgallery.com/packages/PSGPPreferences/

Currently the module allows you only to create / delete / manage groups (not even users), but I hope to add other sections relatively fast, since the foundation has been implemented.
Right now the most difficult, but crucial task is writing tests – w/o tests regressions are quite likely. That’s why it is next in the roadmap.

How to decrypt Plesk passwords on Windows

Plesk uses symmetrical encryption for many passwords in its internal MySQL database “psa”. There are several decryption scripts exist, but none for Plesk on Windows so far. This blog post is to finally change it.

You can find symmetrically encrypted passwords in these tables in Plesk’s “psa” database:

  • accounts (collumn password)
  • databaseservers (collumn admin_password)
  • dsn (collumn cstring)
  • longtaskparams (a record called oldBackupkey – a parameter for backup-encrypt-task (see the longtasks table))
  • misc (collumn aps_password)
  • servicenodeconfiguration (collumn value for the section MailGate / password)
  • smb_users (collumn password)

Symmetrically encrypted passwords look like this: “$AES-128-CBC$ABNK35ZcqnbTYT4Q3mbaEA$HmGDWmtym6K3+kJ8uBoJOg”:
They start with “$AES-128-CBC$”. Then between the second and the third dollar signs there is an AES initialization vector. After that, until the end of the string, we have the encrypted data itself.

In Linux the symmetric key, which Plesk uses to encrypt all these passwords, is located in /etc/psa/private/secret_key. In Windows they put it in registry: HKLM:\SOFTWARE\WOW6432Node\PLESK\PSA Config\Config\sym_key\sym_key

To retrieve an encrypted password, use your favorite MySQL tool to connect to the database and copy it from there.

Note

To learn how to connect to the “psa” database, see this and also here.

Copy a password you want to decrypt and pass in to the -EncryptedString parameter of the script below. Mind, that you must run the script on the same server where you have that instance of Plesk installed, otherwise it won’t be able to extract the symmetric key. If you want to decrypt passwords on a different machine, you need to pass the symmetric key manually to the script’s -SymmetricKey parameter.

See also:

https://gist.github.com/gnanet/99f5e284c0f71032498625368ba67659
https://www.besuchet.net/2016/06/plesk-11-encrypted-hashed-password-authentication-php-on-psa-database/
https://mor-pah.net/2014/03/05/decrypt-plesk-11-passwords/
https://codeforcontent.com/blog/using-aes-in-powershell/